Monday, July 28, 2008

Despite sleep deprivation and the longest drive of my life, I had a blast at the Last HOPE conference this past weekend.

You'll find the slides for my scheduled (Friday) talk at lasthope_goodspeed.pdf. Saturday's talk was a rerun from TIDC 08; thanks to Marco and Kevin Figueroa for getting me a projector on such short notice. Sunday's workshop was unrehearsed, and I apologize for not taking screenshots.

You'll find me next week at Black Hat 2008 and Defcon 16 in Vegas. In addition to my scheduled talks, I expect to give at least one unscheduled lecture or workshop during Defcon. Email me for details.

The first installment of this series described a method of accessing the EZ430's MSP430 firmware by way of JTAG. That's dandy, but the MSP430 isn't the only microprocessor on the board! This installment will focus on the firmware and reprogramming of the TUSB3410 USB to serial chip, which contains an 8052 microprocessor core.

Section 11 of SLLS519 describes the boot sequence of the TUSB3410. In brief, an I2C EEPROM is used if such a chip is present and it contains an image with the proper signatures. Firmware may also be loaded over USB, in which case the EEPROM is either absent or provides only such minutia as the device ID.

The EEPROM on the Revision 2.0 boards--those with six pins for the target device--is the CAT24C32 by Catalyst Semiconductor. Revision 1.1 used the smaller CAT24C16 chip, presumably because that revision had no need for such complicated software. (See Part 1 for details.)

Section 2, wherein firmware is forcefully extracted by use of hypodermic syringe and our heroes contemplate an intriguing fragment of a schematic diagram.

The 24C32 chip, like all I2C devices, uses two lines for communication. These are SDA and SCL. Addressing lines, allowing for multiple units of the same chip to reside on a board, are unused and tied to ground. Thus, the chip looks something like the following schematic.

To read the chip, it is necessary to have an I2C host adapter, such as the Total Phase Aardvark. So as to avoid soldering headers to the chip, I attached two of my syringe logic probes to the Aardvark's SDA and SCL lines. Power was shared through USB, negating the need to tie it into the target board. I tapped an unlabeled via near R23 for SDA and tapped SCL directly on a leg of the EEPROM. I2C's multi-master feature allows this to be done without disabling anything on the board.
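As an added illustration (not code from the original post or from Total Phase), here is a small Python model of the byte sequence an I2C master such as the Aardvark clocks out on SDA to perform a random read from one of these EEPROMs. It assumes the A0..A2 pins are grounded, as described above, so both parts answer on the 1010 000x device address; the 24C32 takes a 16-bit word address after the device byte, while the 24C16 carries its upper three address bits inside the device byte and sends only one address byte. The capacities are those of the two part numbers; the event names are my own labels for start, repeated start, stop and byte transfers.

```python
"""Model of the I2C byte sequence for a random read from a 24Cxx EEPROM.

Added example, not from the original post. Assumes the A0..A2 address pins are
tied to ground (device address 1010000x), as on the EZ430 board.
"""

# Capacity in bytes and word-address width in bytes for the two parts mentioned.
CHIPS = {
    "24C16": {"size": 2048, "addr_bytes": 1},  # upper 3 address bits ride in the device byte
    "24C32": {"size": 4096, "addr_bytes": 2},  # full 16-bit word address follows the device byte
}
BASE_ADDR = 0xA0  # 1010 000 0: EEPROM family code, A2..A0 = 0, R/W = 0 (write)


def device_byte(chip: str, word_addr: int, read: bool) -> int:
    """Device-address byte for a given word address and transfer direction."""
    b = BASE_ADDR
    if CHIPS[chip]["addr_bytes"] == 1:
        # 24C16: word-address bits 10..8 select the 256-byte block via bits 3..1.
        b |= ((word_addr >> 8) & 0x07) << 1
    return b | (1 if read else 0)


def fits(chip: str, word_addr: int, length: int) -> bool:
    """True if a read of `length` bytes from `word_addr` stays inside the chip."""
    size = CHIPS[chip]["size"]
    return 0 <= word_addr < size and length >= 0 and word_addr + length <= size


def read_transaction(chip: str, word_addr: int, length: int) -> list:
    """Bus events for a random read of `length` bytes starting at `word_addr`.

    Events are tuples: ("START",), ("WRITE", byte), ("RESTART",),
    ("READ", count) and ("STOP",), in the order they appear on the bus.
    """
    if not fits(chip, word_addr, length):
        raise ValueError("read exceeds EEPROM capacity")
    info = CHIPS[chip]
    events = [("START",), ("WRITE", device_byte(chip, word_addr, read=False))]
    # Word address: high byte first for the 2-byte part, low byte only for the 24C16.
    for shift in range(8 * (info["addr_bytes"] - 1), -1, -8):
        events.append(("WRITE", (word_addr >> shift) & 0xFF))
    events += [
        ("RESTART",),
        ("WRITE", device_byte(chip, word_addr, read=True)),
        ("READ", length),
        ("STOP",),
    ]
    return events


def full_dump_plan(chip: str) -> list:
    """One sequential read covering the whole chip from word address 0."""
    return read_transaction(chip, 0, CHIPS[chip]["size"])


if __name__ == "__main__":
    for chip in CHIPS:
        print(chip, read_transaction(chip, 0x0123, 4))
```

The two `device_byte` results for the same word address (0xA0/0xA1 on the 24C32 versus 0xA2/0xA3 on the 24C16 for address 0x0123) are the practical difference between dumping the Revision 2.0 and Revision 1.1 boards: the host adapter's address byte must change with the part, not just the number of address bytes.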

Section 3, wherein our heroes--having extracted the firmware of the 24C32 of the EZ430U--conspire to similarly free the firmware of an I2C EEPROM of a much finer vintage.

Dumping firmware from similar chips on the green EZ430U and a USB-FET gave samples for comparison. The contents of the green board and the FET were nearly identical, differing only by a few bytes. They are also significantly smaller than the red firmware, even though the FET contains a larger EEPROM. Unused bytes are padded with 0xFF.
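The comparison described above, as an added Python example rather than anything from the original post: it trims the 0xFF padding from each raw dump so that images from chips of different capacity can be compared on their used regions only, then lists the offsets at which two images differ. The three images it works on are constructed filler payloads, not real EZ430 or USB-FET firmware.

```python
"""Compare raw EEPROM dumps from several EZ430U / USB-FET boards.

Added example, not from the original post. Assumes each dump is the raw
byte image of the chip and that unused space is padded with 0xFF, as the
post notes. The three images below are constructed stand-ins, not real dumps.
"""

PAD = 0xFF


def used_length(image: bytes) -> int:
    """Number of bytes before the trailing 0xFF padding."""
    n = len(image)
    while n and image[n - 1] == PAD:
        n -= 1
    return n


def diff_images(a: bytes, b: bytes) -> list:
    """(offset, byte_in_a, byte_in_b) for every differing position in the used
    regions; None marks an offset past the end of the shorter used region.
    Padding and chip capacity are ignored so a 2 KB and a 4 KB part compare fairly.
    """
    ua, ub = a[: used_length(a)], b[: used_length(b)]
    diffs = []
    for off in range(max(len(ua), len(ub))):
        x = ua[off] if off < len(ua) else None
        y = ub[off] if off < len(ub) else None
        if x != y:
            diffs.append((off, x, y))
    return diffs


def report(name_a: str, a: bytes, name_b: str, b: bytes) -> str:
    """Human-readable summary: capacity, used size, and the first few differences."""
    d = diff_images(a, b)
    lines = [
        f"{name_a}: {len(a)} B chip, {used_length(a)} B used",
        f"{name_b}: {len(b)} B chip, {used_length(b)} B used",
        f"{len(d)} differing byte(s) in the used region",
    ]
    for off, x, y in d[:8]:
        fx = "--" if x is None else f"{x:02X}"
        fy = "--" if y is None else f"{y:02X}"
        lines.append(f"  0x{off:04X}: {fx} -> {fy}")
    return "\n".join(lines)


def make_image(payload: bytes, capacity: int) -> bytes:
    """Pad a payload with 0xFF up to the chip capacity, as a fresh dump would look."""
    if len(payload) > capacity:
        raise ValueError("payload larger than chip")
    return payload + bytes([PAD]) * (capacity - len(payload))


# Constructed sample images (NOT real firmware): deterministic filler payloads.
GREEN_PAYLOAD = bytes((7 * i + 3) & 0xFF for i in range(200))
GREEN = make_image(GREEN_PAYLOAD, 2048)  # 24C16-sized part
_fet = bytearray(GREEN_PAYLOAD)
_fet[10] ^= 0x01  # two bytes deliberately altered to mimic the "few bytes" difference
_fet[11] ^= 0x80
FET = make_image(bytes(_fet), 4096)  # larger EEPROM, near-identical content
RED = make_image(bytes((13 * i + 5) & 0xFF for i in range(900)), 4096)

if __name__ == "__main__":
    print(report("green", GREEN, "FET", FET))
    print()
    print(report("green", GREEN, "red", RED))
```

Comparing on used length rather than raw file length is the point: a naive byte-for-byte diff of a 2 KB dump against a 4 KB dump reports the entire upper half as different even when the firmware is the same, which is exactly the trap the green-versus-FET comparison above would fall into.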

The most common complaint regarding the EZ430-RF series is that, unlike the original EZ430, there exist no Linux drivers for the board. By reflashing the firmware of both the MSP430 and the 24C32 chips, a red EZ430 can be reverted to the green firmware, making it compatible with Linux.

For those without access to an I2C programmer, it is worth noting that the MSP430 of this board is tied to the 24C32 EEPROM. It is possible to write an MSP430 firmware image that, upon booting, does nothing but reprogram the TUSB3410's ROM.